Krebs on Security

In-depth security news and investigation

Yahoo Email-Stealing Exploit Fetches $700

A zero-day vulnerability in yahoo.com that lets attackers hijack Yahoo! email accounts and redirect users to malicious Web sites offers a fascinating glimpse into the underground market for large-scale exploits.

The exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a “cross-site scripting” (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! Webmail users. Such a flaw would let attackers send or read email from the victim’s account. In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed, and can access cookies, session tokens or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

The hacker posted the following video to demonstrate the exploit for potential buyers. I’ve reproduced it and published it to youtube.

“I’m selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers,” wrote the vendor of this exploit, using the hacker handle ‘TheHell.’ “And you don’t need to bypass IE or Chrome xss filter as it do that itself because it’s stored xss. Prices around for such exploit is $1,100 – $1,500, while I offer it here for $700. Will sell only to trusted people cuz I don’t want it to be patched soon!”

KrebsOnSecurity.com alerted Yahoo! to the vulnerability, and the company says it is responding to the issue. Ramses Martinez, director of security at Yahoo!, said the challenge now is working out the exact yahoo.com URL that triggers the exploit, which is difficult to discern from watching the video.

“Fixing it is easy, most XSS are corrected by simple code change,” Martinez said. “Once we figure out the offending URL we can have new code deployed in a few hours at most.”

According to the Open Web Application Security Project (OWASP), XSS flaws fall into two categories: Stored, and reflected. TheHell said his exploit attacks a stored XSS vulnerability, in which the injected code is permanently stored on the target servers, such as in a database, message forum, visitor log, or comment field. The victim’s browser then retrieves the malicious script from the server when it requests the stored information.

As powerful as XSS attacks can be, they are unfortunately also extremely common. Xssed.com, the definitive archive of reported XSS vulnerabilities, lets users index them by Google Pagerank, making it quite easy to find several examples of other unfixed and recently-patched XSS flaws in yahoo.com and other properties. Also, the Open Source Vulnerability Database (OSVDB) lists new and fixed vulnerabilities by vendor.

These types of vulnerabilities are a good reminder to be especially cautious about clicking links in emails from strangers or in messages that you were not expecting.

You don’t have to cater to cybercrooks to make money finding vulnerabilities in software, hardware and online services. Many companies pay researchers to report flaws, including Facebook, Google, Mozilla, CCBill and Piwik. Yahoo doesn’t have a bug bounty program, but if it modeled one after Google’s program this vulnerability would be worth $1,337. Also, Verisign’s iDefense and Tipping Point both purchase vulnerability research.

In addition, a number of companies allow researchers to legally probe their networks and services for vulnerabilities. The list below comes from the blog of noted security expert Dan Kaminsky:

This entry was posted on Friday, November 23rd, 2012 at 12:01 am and is filed under Latest Warnings.
You can follow any comments to this entry through the RSS 2.0 feed.
Both comments and pings are currently closed.

21 comments

Broken security is broken?! … is *blacklisting* code and/or offending URLs really best practice or is it just me who’s puzzled? (Hope they have fun “watching the video” to identify “the exact yahoo.com URL that triggers the exploit”… */facepalm*)

I think it depends. With this attack, it would still work if you clicked the link in your email client and were signed in to yahoo.com, or had it set to remember your cookie and not bother you for a password.

I think this isn’t the first time Yahoo email got hit. Another party’s account was hit and got my email address and sent me some malicious junk. I use a mail client, Mozilla Thunderbird, and keep the online boxes, including trash, emptied.

There are a lot of reports that people are getting texts, calling them by name, from textplus numbers wanting the recipient to add an unknown person to Y! Messenger. They seem to be getting names and mobile numbers from Facebook. I wonder if the plan is to hijack the email accounts, using this exploit.

A XSS able to steal session cookie? It suggests Yahoo session cookie is not set with the httpOnly flag, which make a cookie unaccessible by JavaScript. Is there any good reason why Yahoo would not use that flag?

Sounds like this is the way my Yahoo account was hijacked. All I did was click a link from my iPhone mail app, and next thing I knew, the same link was being forwarded from my account. Here are two blogs that post about being stung by the same link that got me, a site that looked like an MSN domain, upon quick glance (I didn’t want to post the direct link but you’ll see it in these blogs).

So you clicked on a link that looked like something at MSN but obfuscated a site in russia (178.208.137.39) and took over your account to spam all your contacts and/or others…

While Google Safe Browsing, Norton Safe Web, VirusTotal and all others said the site was clean they can’t verify what code was delivered if someone came with a HTTP referer that told them you are their spam vitim. (And retroactively nobody can tell because the domain was deleted – although there are many clones out there…)

At least change your passwords… (and NEVER EVER click any links you are not absolutely sure that they are safe again – particularly if received by email).